Bank-fraud software takes aim at government secrets

SAN FRANCISCO, Feb 1 (Reuters) - The world of criminal computer hacking has traditionally been far removed from the cyber-spying efforts of governments, but security experts say several recent cases suggest the lines are starting to blur.

Enterprising hackers are now using tools built for raiding online bank accounts to target corporate and government secrets, either on a for-hire basis or on speculation that government documents could be valuable in underground markets, according to security consultants.

Two weeks ago, security firm Kaspersky Lab announced that it had discovered a spyware campaign targeting embassies and other government offices around the world that was sophisticated enough to remain undetected for five years.

The unidentified leaders of the hacking group were Russian speakers, judging from comments in the code or commands that were in Russian, Kaspersky said. In addition, the country most affected by the hacking campaign was also Russia. Kaspersky theorized that the gang was offering services or auctioning off what it found.

“Such information could be traded in the underground and sold to the highest bidder, which can be, of course, anywhere,” Kaspersky wrote.

Jaime Blasco, a researcher at California’s AlienVault Inc who worked with Kaspersky on the case, said Thursday that some Russian hackers who had previously harvested credit and debit cards “have evolved into this new business.”

In another case, security company McAfee said a version of a program developed to steal bank account credentials from consumers, known as the Citadel Trojan, had been turned on city halls in Poland and provincial offices in Japan.

“It sounds to me like a for-hire data-gathering campaign,” said researcher Ryan Sherstobitoff of McAfee, which is owned by chip manufacturer Intel Corp. McAfee said it was unclear what had been taken from the public offices but that emails were one likely target.

The Citadel Trojan is still mainly used for bank fraud. Its code is based on another family of financial spyware, called Zeus, that has been blamed for hundreds of millions of dollars in fraudulent account transfers.

Zeus too has had multiple uses. In 2010, security firm Netwitness found a variant of it that was sent via trick emails to addresses ending in “.mil,” for the U.S. military.

It acted like the regular Zeus, capturing bank passwords as they were typed. But it soon started looking for electronic documents on the infected machines and spiriting them away.

Spying attacks that use readily available criminal hacking tools might also be the work of governments seeking to cover their tracks, U.S. government and private researchers say.

Such spies might infiltrate or rent time on already-compromised networks of machines, known as botnets, that are controlled by criminals who steal data, send spam or take down websites with so-called denial-of-service attacks.

Some botnets have millions of machines and can contain plenty of data with intelligence value. Using them adds a layer of deniability, said Christopher Soghoian, a technologist at the American Civil Liberties Union.

“No one’s going to accuse the government of using military-grade hacking tools when they are already infected,” Soghoian said.